SSCP or CISSP: Which is Better?
Cybersecurity is IT Job No. 1 for most organizations — and the demand for qualified security professionals has never been higher. There are several bodies offering security certifications and the International Information System Security Certification Consortium, or (ISC)2, is one of the best known.
Their marquee security certification is the Certified Information Systems Security Professional (CISSP), arguably one of the most difficult and valuable security certifications.
Early-career security professionals could find the CISSP daunting and may look to the (ISC)2 Systems Security Certified Practitioner (SSCP), or to another accreditation, as their on-ramp to certification.
Let's dig deeper into these two (ISC)2 certifications. We'll take a look at what's entailed in earning them, their career value, and the 'pros and cons' of each.
Certified Information Systems Security Professional (CISSP)
This certification is for experienced cybersecurity professionals: technicians, managers, and executives. In order to earn CISSP certification, candidates must pass a three-hour, 100-to-150 question computer adaptive testing exam. In addition, they must provide verifiable proof of five years of full-time employment, or work experience, in two or more of the following eight CISSP security domains defined by (ISC)2:
Security and Risk Management
Security Architecture and Engineering
Communications and Network Security
Identity and Access Management
Security Assessment and Testing
And that's not all. Once the candidate has passed the CISSP exam, they must be endorsed by an active (ISC)2 credential holder before they are awarded their CISSP cert.
Note that if you pass the CISSP exam, but do not have the required years of experience, (ISC)2 will recognize you as a CISSP Associate while you acquire the necessary domain experience.
Given all this effort, it's reassuring that in their current Guide to the CISSP, (ISC)2 claims that salaries for CISSP-certified professionals average over $130,000. Also, as of September 2019, CISSP was the most in-demand security certification according to the CyberSeek interactive cybersecurity supply/demand map of job postings.
Systems Security Certified Practitioner (SSCP)
Whereas CISSP is for experienced professionals, the SSCP is an early-career certification from (ISC)2, which requires only a single year of relevant cybersecurity experience. SSCP differs in that its focus is on practical, technical aspects of security, while the CISSP emphasizes process.
(ISC)2 says that SSCP is for people in engineering and admin roles, whereas CISSP is for senior IT leaders — architects, auditors, and consultants, as well as IT managers and executives. The SSCP is equivalent to, but not as well-known as, CompTIA's Security+ certification.
SSCP candidates must pass a three-hour, 125-question exam that assesses their mastery of the following security domains:
Security Operations and Administration
Risk Identification, Monitoring and Analysis
Incident Response and Recovery
Network and Communications Security
Systems and Application Security
SSCP candidates must have at least one year of verifiable work experience in one or more of the SSCP security domains. If you have a degree in a cybersecurity program, then you may be granted a waiver for the year of experience.
As with the CISSP cert, SSCP candidates must be endorsed by an active (ISC)2 credential-holder before they are awarded their cert.
CISSP vs. SSCP
Frankly, it is not a question of one cert versus the other. They represent different spaces on the spectrum of cybersecurity expertise and experience.
If you're in an early-career security position and are looking for a way to establish credibility, then SSCP is a good starting point.
Do you already know that you want to pursue an IT leadership position? If that's the case, then the CISSP should be your long-term goal! You could earn the SSCP first and later go for the CISSP as you acquire the security work experience.
But hold on, if the CISSP is your target, then you could go for the CISSP exam and become a CISSP Associate. While it's not the same as a full-fledged CISSP, the associate-level badge is recognized in the U.S. government sector and may also be accepted by some companies.
Note that all (ISC)2 certifications are valid for three years and must be renewed through required ongoing continuing professional education. Certificate holders must also be current with their (ISC)2 annual membership fees.
Government Sector Opportunities
Both SSCP and CISSP are recognized as U.S. Department of Defense (DOD) baseline certifications, which identify specific certs for various levels of IT technician, manager, and architect/engineer jobs in the Federal Government.
SSCP is approved for Levels I and II Information Assurance Technician (IAT) jobs. CISSP (or CISSP Associate) is a baseline cert for Level III IAT jobs, as well as for jobs at Level II or III Information Assurance Manager (IAM) and Level I and II IA System Architects and Engineers (IASAE).
Level III architect/engineer jobs require the next level CISSP architecture or engineering concentrations.
As you might expect, you'll command a bigger salary if you're CISSP-certified. (ISC)2 itself claims an average CISSP salary of $131,030 compared to $93,240 for an SSCP.
A search of the Indeed.com job site provides some support for those numbers. A search for full-time jobs requiring CISSP certification returned an average salary of $94,000, but showed nearly one half offering from $100,000 to $125,000 or more.
A search for SSCP jobs returned an average salary of nearly $82,000, with just under half offering $90,000 or more. The (ISC)2 brand must add value, because jobs for the equivalent CompTIA Security+ certification showed an average salary of only $72,395.
So, what's the bottom line? Both CISSP and SSCP are valuable, well-paying cybersecurity credentials. Demand for CISSP in particular is reportedly higher than the number of professionals certified.
CBT Nuggets provides online training for both certification paths. If SSCP is your target, we can help with our (ISC)2 Security SSCP training.
Check out our (ISC)2 CISSP 2018 playlist. Our recent blog post shows how you can create your own CISSP study plan to help you learn the CISSP material and prepare to take the exam. By the way, you'll also be able to take advantage of the CISSP2018 practice exams.